More Blogs

New Ways to Force Browsers to be Safe

HTTPS is old (it was devised in 1994 by Netscape for Navigator), but it has always been seen as optional for most sites. That is changing, as the number of real-world abuses of users on the web increases. Using HTTPS makes safe browsing much easier. 2 developments in web technology make it easier to use HTTPS more often. One is a client-side technology, the other a new server-client standard.

Many sites support HTTPS but don't default to it. In order to help users invoke HTTPS on the site, the EFF (Electronic Frontier Foundation) and the Tor Project created HTTPS Everywhere, a Firefox add-on which reviews all HTTP requests from the browser to sites on a whitelist and changes them to appropriate HTTPS requests. HTTPS Everywhere maintains rules for over 1000 sites on the whitelist.

There are some downsides to HTTPS Everywhere, starting with the fact that it only works with Firefox. Other browsers, such as Google Chrome, don't support the features (mainly request rewriting) that HTTPS Everywhere needs. This may change in the future. The other problem with the HTTPS Everywhere approach is that the maintainers of it need to keep up with the zillions of sites on the Internet as opposed to having a generic solution.

HSTS (HTTP Strict Transport Security) goes at the problem in a different way. It is a standard through which web sites can tell clients (mainly browsers) that they will only support HTTPS communications.

If a client makes an HTTP request and HSTS is enabled on the server, the server responds with a special header 'Strict-Transport-Security' and a 'max-age' parameter specifying the number of seconds during which the client may only reconnect over HTTPS. While the initial HTTP request is unprotected, the client should know to use only secure communications thereafter.

HSTS has been supported in Google Chrome and Firefox since version 4 of each browser. Many web sites, including PayPal and a number of Google subdomains (chrome.google.com, checkout.google.com, etc.), support it.

In the long run, standards like HSTS are a better solution than hacks like HTTPS Everywhere. Currently Internet Explorer has no support for either and I see no indication that Microsoft plans to support them (or that the EFF is interested in supporting Internet Explorer for that matter).

Automatic Renewal Program: Your subscription will continue without interruption for as long as you wish, unless
you instruct us otherwise. Your subscription will automatically renew at the end of the term unless you authorize
cancellation. Each year, you'll receive a notice and you authorize that your credit/debit card will be charged the
annual subscription rate(s). You may cancel at any time during your subscription and receive a full refund on all
unsent issues. If your credit/debit card or other billing method can not be charged, we will bill you directly instead. Contact Customer Service